is there a way to limit GRANT SELECT user#db with something like a WHERE?
I have variable "PROJECTID" to assess certain records to a particular project.
When user query all clients it should only show the clients from their projects. I do not want to change the interface for every user, so a select where statement will not help here.
Thanks in advance
I fear, there is no such thing.
But you could create database views using a WHERE condition and then give permissions to those views to your users.
Related
I'm currently in the process of implementing a monitoring system, part of which includes monitoring certain aspects of a MySQL database, such as:
The replication state of the given MySQL instance (sys table)
The number of records in database 1's table x (db1.tableX)
The sum total of a given attribute in another db's table (db2.tableY.column3)
These 3 things can be found using very simple queries:
SELECT viable_candidate FROM sys.gr_member_routing_candidate_status
SELECT COUNT(1) FROM db1.tableX
SELECT SUM(column3) FROM db2.tableY
However, this then requires a user account to be made with at least read access to 3 entire databases / tables.
Is there instead a way to limit access to the results of given queries only? I wondered about making an additional database which is somehow linked to the output of the above 3 queries, and then creating a new user with access only to this database, but I'm not sure what this technology is, or how it would work?
Thanks in advance!
Create a view based on each query and then grant only a select permission to such view.
Example:
CREATE VIEW dbo.view_name AS
SELECT viable_candidate
FROM sys.gr_member_routing_candidate_status
And then
GRANT SELECT ON dbo.view_name TO 'user1'#'localhost'
I want to protect my database better, because, if someone decompiles my program, he will have my sql uid and password and can use them to steal my data. How can I grant permissions to the sql user, that I use for my program, to SELECT and UPDATE only when there is a WHERE or a LIKE in the sql statement? Because if someone finds out the user, he can steal my whole table. Thanks.
This is allowed :
SELECT * FROM table WHERE username = 'username'
This is not allowed:
SELECT * FROM table
One of the advantages of using a Database View is that A database view helps limit data access to specific users. You may not want a subset of sensitive data can be queryable by all users. You can use a database view to expose only non-sensitive data to a specific group of users.
So, in theory, you might try something like
CREATE VIEW user_username AS SELECT * FROM table WHERE username = 'username'
in order to create separate views for every user of your application.
That being said, it is a very bad idea to do so. Also, if by decompiling, a user has access to a database containing ALL the users, the I am pretty sure there must be something wrong with the design of the application.
But, as very few details are given about the application in question, it is hard to advise as to how it should be done.
I have a MySQL instance set up on my machine and other users are connected to the database set up on my machine.
But whenever they do
Select * from table_name;
They are not able to see all the rows present in the table, whereas I am able to see.
All of them are able to see same number of rows.
I have granted them all privileges as well by using the following query.
grant all ON * . * TO 'username'#'hostname';
Any help would be appreciated.
Thanks in advance.
Yes.
Got the answer.
There is an option of toggle number of records limitations in mysql.
After clicking on that option, now they are able to see the number of rows.
Let's say we have a public DNA database running on mysql. Database contains only complete data. In this scenario, some special users want to add experimental data to the database, which may not be complete or they don't want it to be visible to everyone. Instead they want the experimental data to only be visible to users with correct privileges. What approach would you take to achieve this?
Presumably these datasets are large, and performance is important. That means the privilege system should be as coarse as possible.
If I were doing this, I'd create a "public" database, and use the MySQL GRANT command to allow guest users to SELECT on that database.
For example:
CREATE USER 'guest'#'%' IDENTIFIED BY 'changethispassword';
GRANT SELECT ON public.* TO 'guest'#'%';
Then, for the nonpublic datasets, I'd put them into other databases, and be more selective about the users GRANTed privileges. For example, these GRANTs give two different users access to private information and the public information.
CREATE USER 'venter'#'%' IDENTIFIED BY 'changethispassword';
GRANT SELECT ON public.* TO 'venter'#'%';
GRANT SELECT ON celera.* TO 'venter'#'%';
CREATE USER 'collins'#'%' IDENTIFIED BY 'changethispassword';
GRANT SELECT ON public.* TO 'collins'#'%';
GRANT SELECT ON hgp.* TO 'collins'#'%';
A user who has SELECT privileges on, let us say, the public database and the celera database, can issue queries like this allowing seamless (if not optimally performing) merging of private and public data.
SELECT whatever
FROM public.AGCT
UNION ALL
SELECT whatever
FROM celera.AGCT
Of course, it has to make scientific sense to take the union of these datasets. That may or may not be the case.
Don't be alarmed at the idea of creating multiple databases. They really are nothing more complex than directories in a computer file system. A single server can deliver dozens of them without any problems.
MySQL is definitely up to this kinds of security. Hosting providers run multi-tenant servers routinely.
I would consider MariaDB (a MySQL-compatible database written by MySQL's founder) over MySQL, as it supports roles.
Neither of them support Row Security like Oracle does, but you can mimic it by adding an "owner" column with the name of the role that can select/update the row.
Add a WITH CHECK OPTION view that checks that the current_user is in the role specified in that column.
Add a trigger to set owner value properly.
update: If you can't alter the table but can add new ones, add a new one w same key as original, and add owner column, and join the tables in your view.
See
http://www.sqlmaestro.com/resources/all/row_level_security_mysql/
I would like to understand how hard this is to implement.
In unix, there are unix groups where certain people with a group can access certain folders and files.
I would like to apply the same concept into MYSQL where people could only access, view certain tables or even same tables but different rows ...
How can I achieve this? Would I have to use a different database system?
Gordon
This is a very common and simple approach. You can create users and specify which databases/tables they can access and what type of operations they can execute. See the mysql documentation on this
For instance:
--create the user
CREATE USER 'gordon'#'localhost' IDENTIFIED BY 'yourpassword';
--specify table and specific operations for that user
GRANT SELECT,UPDATE,DELETE,INSERT ON database.table TO 'gordon'#'localhost';